Forms or windows authentication with active directory?

Discussion in 'ASP .Net Security' started by jp, Feb 5, 2004.

  1. jp

    jp Guest

    Hi, I'm having a hard time deciding (figuring out) how to implement
    security in my asp.net application.

    Requirements:
    - Use active directory as database of users to authenticate against
    - Have a login screen
    - IIS and SQL Server Database are on different servers (delegation and
    kerberos needed) to make trustedconnection=yes in connection string
    work (no username and password in connection string).

    If I use Windows Authentication in IIS and web.config, everything
    works fine, except there is no login screen, so someone can access an
    internal application by sitting at someone else's computer, if they
    are already logged in.

    If I use Forms Authentication in .NET and anonymous authentication in
    IIS (using a user from the domain) and impersonate=true (so the
    anonymous user can access active directory for authentication), the
    user being impersonated is used to access the SQL Server when I need
    the authenticated user to be the one to access SQL Server.

    The only way I can figure the second situation to work would be to
    have the authenticated user then assume impersonation and that seems
    like it's not a good idea.


    Any thoughts or ideas are more than welcome!

    thanks.
    jp, Feb 5, 2004
    #1
    1. Advertising

  2. You could call the LogonUser API with the username and password you get from
    the forms authentication in order to get a token that use can use to create
    a WindowsIdentity that you can impersonate with in code. An advantage to
    this is that you don't need delegation to hop to the SQL server as you get a
    primary token from calling LogonUser. There is a nice sample in MSDN in the
    docs on WindowsImpersonationContext.

    The downside is that if you are running IIS on Win2K, you need SYSTEM level
    privileges to call LogonUser, so that compromises your security. This
    restriction is lifted in Win2K3.

    You get much better integration with Windows auth right out of the box
    though. Perhaps you could convince the users to be more careful about
    locking their workstations when the leave and not letting other people
    access resources on their behalf?

    Another option would be to access SQL with a domain account based on your
    processModel or app pool identity. This would only work if you are using
    Windows auth to SQL just to avoid SQL auth, but don't need to access SQL as
    the individual user accounts. In that case, you don't need impersonation,
    and you could do Forms auth. with an Active Directory bind.

    HTH,

    Joe K.

    "jp" <> wrote in message
    news:...
    > Hi, I'm having a hard time deciding (figuring out) how to implement
    > security in my asp.net application.
    >
    > Requirements:
    > - Use active directory as database of users to authenticate against
    > - Have a login screen
    > - IIS and SQL Server Database are on different servers (delegation and
    > kerberos needed) to make trustedconnection=yes in connection string
    > work (no username and password in connection string).
    >
    > If I use Windows Authentication in IIS and web.config, everything
    > works fine, except there is no login screen, so someone can access an
    > internal application by sitting at someone else's computer, if they
    > are already logged in.
    >
    > If I use Forms Authentication in .NET and anonymous authentication in
    > IIS (using a user from the domain) and impersonate=true (so the
    > anonymous user can access active directory for authentication), the
    > user being impersonated is used to access the SQL Server when I need
    > the authenticated user to be the one to access SQL Server.
    >
    > The only way I can figure the second situation to work would be to
    > have the authenticated user then assume impersonation and that seems
    > like it's not a good idea.
    >
    >
    > Any thoughts or ideas are more than welcome!
    >
    > thanks.
    Joe Kaplan \(MVP - ADSI\), Feb 6, 2004
    #2
    1. Advertising

  3. jp

    jp Guest

    Thanks for the advice. I'm a little confused about WindowsIdentity.
    Can you give me an example of how to use LogonUser, get a token and
    create a WindowsIdentity?



    "Joe Kaplan \(MVP - ADSI\)" <> wrote in message news:<#>...
    > You could call the LogonUser API with the username and password you get from
    > the forms authentication in order to get a token that use can use to create
    > a WindowsIdentity that you can impersonate with in code. An advantage to
    > this is that you don't need delegation to hop to the SQL server as you get a
    > primary token from calling LogonUser. There is a nice sample in MSDN in the
    > docs on WindowsImpersonationContext.
    >
    > The downside is that if you are running IIS on Win2K, you need SYSTEM level
    > privileges to call LogonUser, so that compromises your security. This
    > restriction is lifted in Win2K3.
    >
    > You get much better integration with Windows auth right out of the box
    > though. Perhaps you could convince the users to be more careful about
    > locking their workstations when the leave and not letting other people
    > access resources on their behalf?
    >
    > Another option would be to access SQL with a domain account based on your
    > processModel or app pool identity. This would only work if you are using
    > Windows auth to SQL just to avoid SQL auth, but don't need to access SQL as
    > the individual user accounts. In that case, you don't need impersonation,
    > and you could do Forms auth. with an Active Directory bind.
    >
    > HTH,
    >
    > Joe K.
    >
    > "jp" <> wrote in message
    > news:...
    > > Hi, I'm having a hard time deciding (figuring out) how to implement
    > > security in my asp.net application.
    > >
    > > Requirements:
    > > - Use active directory as database of users to authenticate against
    > > - Have a login screen
    > > - IIS and SQL Server Database are on different servers (delegation and
    > > kerberos needed) to make trustedconnection=yes in connection string
    > > work (no username and password in connection string).
    > >
    > > If I use Windows Authentication in IIS and web.config, everything
    > > works fine, except there is no login screen, so someone can access an
    > > internal application by sitting at someone else's computer, if they
    > > are already logged in.
    > >
    > > If I use Forms Authentication in .NET and anonymous authentication in
    > > IIS (using a user from the domain) and impersonate=true (so the
    > > anonymous user can access active directory for authentication), the
    > > user being impersonated is used to access the SQL Server when I need
    > > the authenticated user to be the one to access SQL Server.
    > >
    > > The only way I can figure the second situation to work would be to
    > > have the authenticated user then assume impersonation and that seems
    > > like it's not a good idea.
    > >
    > >
    > > Any thoughts or ideas are more than welcome!
    > >
    > > thanks.
    jp, Feb 10, 2004
    #3
  4. The "school" solution is to use the updated sample from MSDN from the
    WindowsImpersonationContext class reference:

    http://msdn.microsoft.com/library/d...ImpersonationContextClassTopic.asp?frame=true

    The big thing to remember is that there are very important security
    limitations on calling LogonUser in Win2K that are not present in XP or 2K3.
    That can complicate your deployment scenario. Reading the documentation for
    LogonUser is very important.

    Joe K.

    "jp" <> wrote in message
    news:...
    > Thanks for the advice. I'm a little confused about WindowsIdentity.
    > Can you give me an example of how to use LogonUser, get a token and
    > create a WindowsIdentity?
    >
    >
    >
    > "Joe Kaplan \(MVP - ADSI\)" <>

    wrote in message news:<#>...
    > > You could call the LogonUser API with the username and password you get

    from
    > > the forms authentication in order to get a token that use can use to

    create
    > > a WindowsIdentity that you can impersonate with in code. An advantage

    to
    > > this is that you don't need delegation to hop to the SQL server as you

    get a
    > > primary token from calling LogonUser. There is a nice sample in MSDN in

    the
    > > docs on WindowsImpersonationContext.
    > >
    > > The downside is that if you are running IIS on Win2K, you need SYSTEM

    level
    > > privileges to call LogonUser, so that compromises your security. This
    > > restriction is lifted in Win2K3.
    > >
    > > You get much better integration with Windows auth right out of the box
    > > though. Perhaps you could convince the users to be more careful about
    > > locking their workstations when the leave and not letting other people
    > > access resources on their behalf?
    > >
    > > Another option would be to access SQL with a domain account based on

    your
    > > processModel or app pool identity. This would only work if you are

    using
    > > Windows auth to SQL just to avoid SQL auth, but don't need to access SQL

    as
    > > the individual user accounts. In that case, you don't need

    impersonation,
    > > and you could do Forms auth. with an Active Directory bind.
    > >
    > > HTH,
    > >
    > > Joe K.
    > >
    > > "jp" <> wrote in message
    > > news:...
    > > > Hi, I'm having a hard time deciding (figuring out) how to implement
    > > > security in my asp.net application.
    > > >
    > > > Requirements:
    > > > - Use active directory as database of users to authenticate against
    > > > - Have a login screen
    > > > - IIS and SQL Server Database are on different servers (delegation and
    > > > kerberos needed) to make trustedconnection=yes in connection string
    > > > work (no username and password in connection string).
    > > >
    > > > If I use Windows Authentication in IIS and web.config, everything
    > > > works fine, except there is no login screen, so someone can access an
    > > > internal application by sitting at someone else's computer, if they
    > > > are already logged in.
    > > >
    > > > If I use Forms Authentication in .NET and anonymous authentication in
    > > > IIS (using a user from the domain) and impersonate=true (so the
    > > > anonymous user can access active directory for authentication), the
    > > > user being impersonated is used to access the SQL Server when I need
    > > > the authenticated user to be the one to access SQL Server.
    > > >
    > > > The only way I can figure the second situation to work would be to
    > > > have the authenticated user then assume impersonation and that seems
    > > > like it's not a good idea.
    > > >
    > > >
    > > > Any thoughts or ideas are more than welcome!
    > > >
    > > > thanks.
    Joe Kaplan \(MVP - ADSI\), Feb 10, 2004
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. techfuzz
    Replies:
    1
    Views:
    1,329
    Yan-Hong Huang[MSFT]
    Aug 12, 2003
  2. Marty Underwood

    Forms Authentication +Active Directory +Roles

    Marty Underwood, Oct 29, 2003, in forum: ASP .Net
    Replies:
    4
    Views:
    704
    Marty Underwood
    Oct 30, 2003
  3. - Steve -
    Replies:
    7
    Views:
    2,371
    - Steve -
    Jun 4, 2004
  4. =?Utf-8?B?RWdiZXJ0?=

    Asp.Net Forms authentication using Active Directory

    =?Utf-8?B?RWdiZXJ0?=, Nov 3, 2004, in forum: ASP .Net
    Replies:
    0
    Views:
    533
    =?Utf-8?B?RWdiZXJ0?=
    Nov 3, 2004
  5. Tdar
    Replies:
    2
    Views:
    8,919
    Arnel
    Oct 11, 2005
Loading...

Share This Page